Build flags: Enable CET on i686, x86_64 (#1538725)

buildflags.md

@@ -204,6 +204,8 @@ not), but their selection depends on the architecture:
     fully ABI-compatible and has adds very little run-time overhead, but
     is only available on certain architectures (currently aarch64, i386,
     ppc64, ppc64le, s390x, x86_64).
+*   ` -mcet -fcf-protection`: Instrument binaries to guard against
+    ROP/JOP attacks.  Used on i686 and x86_64.
 *   `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in
     the same compilation.  For such architectures, the RPM build process
     explicitly selects the architecture variant by passing this compiler

redhat-rpm-config.spec

@@ -6,7 +6,7 @@
 
 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
-Version: 85
+Version: 86
 Release: 1%{?dist}
 # No version specified.
 License: GPL+
@@ -88,6 +88,9 @@ Requires: dwz >= 0.4
 Requires: zip
 Requires: (annobin if gcc)
 
+# -fstack-clash-protection and CET requires GCC 8.
+Conflicts: gcc < 8.0
+
 Provides: system-rpm-config = %{version}-%{release}
 
 %global rrcdir /usr/lib/rpm/redhat
@@ -157,6 +160,9 @@ install -p -m 755 -t %{buildroot}%{_rpmconfigdir} kmod.prov
 %{_rpmconfigdir}/macros.d/macros.kmp
 
 %changelog
+* Mon Jan 29 2018 Florian Weimer <fweimer@redhat.com> - 86-1
+- Build flags: Enable CET on i686, x86_64 (#1538725)
+
 * Thu Jan 25 2018 Florian Weimer <fweimer@redhat.com> - 85-1
 - Build flags: Switch to generic tuning on i686 (#1538693)
 

rpmrc

@@ -3,10 +3,10 @@ include: /usr/lib/rpm/rpmrc
 optflags: i386 %{__global_compiler_flags} -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: i486 %{__global_compiler_flags} -m32 -march=i486 -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: i586 %{__global_compiler_flags} -m32 -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
-optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
+optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection
 optflags: athlon %{__global_compiler_flags} -m32 -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: ia64 %{__global_compiler_flags}
-optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
+optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection
 
 optflags: alpha %{__global_compiler_flags} -mieee
 optflags: alphaev5 %{__global_compiler_flags} -mieee -mcpu=ev5